
A new wave of cyber attacks targeting unpatched Drupal websites has been uncovered by security researchers. The attack leverages PowerBot malware and is primarily conducted on websites that are vulnerable to Drupalgeddon 2.0.

Researchers at IBM Security's Managed Security Services found that the attackers are using an Internet Relay Chat (IRC) bot, known as PerlBot or Shellbot, to gain complete control over vulnerable Drupal websites. A successful attack opens a backdoor into the site, allowing attackers to steal data, host malicious content and launch further attacks.

“To do that, malicious actors often pick a vulnerability and then probe for exploitable sites en masse. Those found unpatched or vulnerable for some other reason might fall under the attacker’s control, which could mean a complete compromise of that site. With this level of control, the attacker has access to the site as a resource from which to steal data, host malicious content or launch additional attacks,” said Noah Adjonyo and Limor Kessem in a blog post.

Modus Operandi

Researchers explained that the attackers exploited a remote code execution (RCE) vulnerability tracked as CVE-2018-7600, also known as Drupalgeddon 2.0, to launch the Shellbot malware on Drupal websites.

Further investigation showed that the unpatched Drupal websites were also vulnerable to another highly critical RCE flaw, tracked as CVE-2018-7602.

Once Shellbot is running on a website, it connects to a command-and-control (C2) server to receive instructions from its operator.

Commenting on the Shellbot’s properties, the researchers said, “The bot contained multiple tools to perform distributed denial-of-service (DDoS) attacks and search for SQL injection weaknesses and other vulnerabilities, including privilege escalation to reach root level on the victimized system.”
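The report describes a Perl-based IRC bot that runs under the compromised site's web server account and holds an outbound connection to its C2 server. The following script is an added example, not code from the article or from IBM's report, showing how a defender can correlate a process listing with the socket table to surface that combination. It assumes the web server runs as `www-data`, that the bot is launched through a script interpreter such as `perl`, and that the C2 channel is IRC on port 6667 or IRC-over-TLS on 6697; the process and socket tables are constructed samples in the shape of `ps -eo user,pid,args` and `ss -tnp state established` output.

```python
"""Flag IRC-bot-like processes running under the web server account.

Added example; it is not code from the article or from IBM's report.
Assumptions (labelled): the web server runs as 'www-data', a dropped
Shellbot is launched through a script interpreter such as perl, and its
C2 channel is IRC on port 6667 or IRC-over-TLS on 6697. The process and
socket tables below are constructed samples in the shape of
`ps -eo user,pid,args` and `ss -tnp state established` output.
"""
import os
import re
from dataclasses import dataclass

WEB_USER = "www-data"                                       # assumption: Debian/Ubuntu httpd account
INTERPRETERS = {"perl", "python", "python3", "sh", "bash"}  # assumption: interpreters a dropped bot would use
IRC_PORTS = {6667, 6697}                                    # assumption: plain IRC and IRC-over-TLS


@dataclass(frozen=True)
class Proc:
    user: str
    pid: int
    args: str


@dataclass(frozen=True)
class Conn:
    pid: int
    peer_ip: str
    peer_port: int


def parse_ps(text):
    """Parse `ps -eo user,pid,args` output (header line skipped)."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        user, pid, args = line.split(None, 2)
        procs.append(Proc(user, int(pid), args))
    return procs


def parse_ss(text):
    """Parse `ss -tnp` output; keep the peer address and the owning pid(s)."""
    conns = []
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        peer_ip, peer_port = fields[4].rsplit(":", 1)
        for pid in re.findall(r"pid=(\d+)", line):
            conns.append(Conn(int(pid), peer_ip, int(peer_port)))
    return conns


def find_irc_bots(procs, conns):
    """Return pids that satisfy all three indicators: web-server user,
    interpreter-launched command, established connection to an IRC port."""
    irc_pids = {c.pid for c in conns if c.peer_port in IRC_PORTS}
    hits = []
    for p in procs:
        binary = os.path.basename(p.args.split()[0])
        if p.user == WEB_USER and binary in INTERPRETERS and p.pid in irc_pids:
            hits.append(p.pid)
    return sorted(hits)


# Constructed sample data: one bot (pid 4321), a legitimate perl job run by a
# human user that also talks IRC (pid 5100), and ordinary web server traffic.
SAMPLE_PS = """\
USER       PID ARGS
root         1 /sbin/init
www-data   987 /usr/sbin/apache2 -k start
www-data  4321 perl /tmp/.x/bot.pl
www-data  4400 php-fpm: pool www
alice     5100 perl /home/alice/report.pl
"""

SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:43210 198.51.100.7:6667 users:(("perl",pid=4321,fd=3))
ESTAB 0 0 10.0.0.5:443 203.0.113.9:52344 users:(("apache2",pid=987,fd=12))
ESTAB 0 0 10.0.0.5:51000 198.51.100.8:6667 users:(("perl",pid=5100,fd=3))
"""

if __name__ == "__main__":
    for pid in find_irc_bots(parse_ps(SAMPLE_PS), parse_ss(SAMPLE_SS)):
        print(f"suspicious IRC bot candidate: pid {pid}")
```

Requiring all three indicators at once keeps the rule from firing on a human user's own IRC client (pid 5100 above) or on the web server's normal HTTPS traffic; on a live host, replace the constructed samples with the real `ps` and `ss` output.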

Mitigation

The Drupal security team has been aware of CVE-2018-7600 since at least March 2018, and security patches fixing the Drupalgeddon 2.0 vulnerability have since been released. Users are advised to upgrade older Drupal 7 and Drupal 8 installations to 7.58 and 8.51 respectively.
